Friday, May 18, 2012

Complete DHS Daily Report for May 18, 2012

Daily Report

Top Stories

• Federal authorities established a $150,000 reward to help catch a man who they think sent 380 white-powder envelopes and threatening letters to government offices and schools in Texas since 2008. – CNN (See item 21)

21. May 16, CNN – (Texas) Feds offer $150,000 reward in probe of hundreds of letters with white powder. Federal agents have been stymied in their long search for a man who mails envelopes containing white powder and usually a message of some kind. Investigators from the FBI and U.S. Postal Inspection Service in the Dallas-Fort Worth area in Texas hope that a reward announced May 16 may help locate the individual who has now sent an estimated 380 white-powder envelopes since he first began the practice in 2008. Analysts have developed few clues to date, because the mailer has managed to erase fingerprints or other identifiers. The FBI in Dallas and Washington, D.C. would not comment on whether the individual is the same one who early this year sent white-powder envelopes to dozens of members of Congress. However, the FBI in Dallas said the man seems to have recently focused more on schools than government offices. All of the envelopes proved to be harmless and contained no toxic substances. However, in the past 2 weeks, the man has sent more than 20 white-powder letters to early childhood development centers and elementary schools. Officials stressed that every envelope must be carefully screened. The process is time-consuming and expensive. The reward totals $150,000 for information that leads to the arrest, prosecution, and conviction of the perpetrator. Source:

• New information indicates damage to fruit crops from a devastating April hail storm in the central San Joaquin Valley of California reached $79.3 million. – Fresno Bee (See item 23)

23. May 16, Fresno Bee – (California) April hail caused $79 million in farm damage. Damage to fruit crops from a devastating hail storm in April has reached $79.3 million in the central San Joaquin Valley of California, the Fresno Bee reported May 16. In Kings County — one of the region’s hardest hit — agricultural officials have requested a disaster declaration from the State and U.S. Department of Agriculture. The deputy agriculture commissioner for Kings County said officials recently updated their damage total from $20 million to $25.3 million after receiving additional reports from farmers. Suffering the worst damage in Kings County were nectarine farmers, who lost $7.1 million worth of their crop to the hail. Source:

• McArthur High School in Hollywood, Florida, was the scene of a mass casualty response after a mysterious rash prompted a lockdown that sent 12 students and 2 teachers to hospitals. – South Florida Sun-Sentinel (See item 31)

31. May 16, South Florida Sun-Sentinel – (Florida) Mysterious rash at McArthur High prompts mass casualty hazmat response. McArthur High School in Hollywood, Florida, was the scene of a mass casualty response May 16 after a mysterious rash prompted a lockdown that sent 12 students and 2 teachers to hospitals. The regional HAZMAT response team did not find a residue or other cause of the rash in the school. Meanwhile, 75-80 other students were moved from the affected building to other areas of the school. Responders placed a patient isolation device inside a Broward County bus that was commandeered to transport victims to hospitals. Memorial Regional Hospital prepared for the patients’ arrivals, and outdoor decontamination showers were set up in a parking garage. “After consultation with the hospital’s infection control experts and the department of health’s epidemiology team, we ruled out any infectious conditions,” said a spokesperson for the emergency departments at Memorial and Joe DiMaggio Children’s Hospital. Source:,0,4883047.story?page=1#

• The fire in the Prescott National Forest in Arizona grew to an estimated 5,400 acres, or nearly 8.5 square miles, May 16 — up from about 2,000 acres a day earlier. – Associated Press (See item 47)

47. May 17, Associated Press – (Arizona) Fire that prompted evacuations in Arizona mining town nearly triples in size. The Arizona fire in the Prescott National Forest grew to an estimated 5,400 acres, or nearly 8.5 square miles, May 16 — up from about 2,000 acres a day earlier. High winds have helped fan the flames, and fire officials were expecting similar conditions for the next few days. Most of Crown King’s 350 residents had already evacuated their homes. The fire has destroyed two homes and a trailer. The fire started at an occupied home, but fire investigators have yet to determine the cause. It remained 5 percent contained May 16. Source:


Banking and Finance Sector

11. May 17, U.S. Securities and Exchange Commission – (Pennsylvania; New Jersey) SEC charges New Jersey man in real estate investment scam. The U.S. Securities and Exchange Commission (SEC) May 17 charged a New Jersey man with operating a Ponzi-like scheme involving a series of investment vehicles formed for the purported purpose of purchasing and managing rental apartment buildings in New Jersey and Pennsylvania. The SEC alleges the man induced investors to buy shares in investment vehicles he created through his firm Connolly Properties Inc. He promised investors monthly dividends based on cash-flow profits from rental income at the apartment buildings as well as the growth of their principal from the appreciation of the property. However, the real estate investments did not produce the projected dividends, and he instead made Ponzi-like dividend payments to earlier investors using money from new investors. He also siphoned off at least $2 million in investor funds for personal use. According to the complaint, none of the man’s securities offerings in the investment vehicles were registered with the SEC as required under the federal securities laws. He began offering the investments in 1996 and ultimately raised in excess of $50 million from more than 200 investors in more than 25 investment vehicles. Source:

12. May 16, threatpost – (International) Trojan mimics Chrome installer to steal banking information. Malware impersonating a Google Chrome Installer is stealing data while stripping software used to protect online banking transactions. The trojan at present appears to target users in Brazil and Peru. Trend Micro researchers reported they discovered a malicious file called ChromeSetup.exe hosted in domains such as Facebook, MSN,,, and Google. Most appear tied to Brazil since .br or br. appears in the URLs. Once downloaded, the malware relays an infected machine’s IP address and operating system to a command and control (C&C) server. Then, when a user tries to access a legitimate site, the trojan TSPY_BANKER.EUIQ intercepts the page request and displays a “Loading system security” dialog box while redirecting them to the fake site. Another component of the “Banker” malware uninstalls software called GbPlugin that is designed to protect bank customers during online banking. “It does this through the aid of gb_catchme.exe — a legitimate tool from GMER called Catchme, which was originally intended to uninstall malicious software,” according to a threats analyst. While analyzing the C&C panel, Trend Micro researchers saw a spike in phone home logs from 400 to almost 6,000 in a 3-hour span — suggesting a malware outbreak or a migration to the C&C server. This represented 3,000 compromised machines, the post said. There is also evidence the malware has evolved since being found in the wild. Initially, it required three components be installed separately. Newer samples suggest all three components are now wrapped into one package. Source:

13. May 16, U.S. Securities and Exchange Commission – (Hawaii; California; International) SEC charges U.S. perpetrators in $35 million international boiler room scheme. The U.S. Securities and Exchange Commission (SEC) May 16 charged a Hawaii resident and two firms he used for setting up a scheme in which he founded small firms, installed management, and recruited overseas boiler rooms that pressured investors into buying their stock while he pocketed more than $2 million in consulting fees. The SEC alleges the man created eight U.S.-based companies to raise money through the sale of Regulation S stock, which is exempt from SEC registration. He handpicked the management, primarily a California man, and set up consulting arrangements through his firms — The Good One Inc. and Kaleidoscope Real Estate Inc. The SEC alleges the California manager drafted misleading materials that were provided to investors by telemarketers recruited primarily in Spain. The boiler rooms raised more than $35 million. Meanwhile, the man instructed the manager and others to trade shares in the companies to create an illusion of activity and manipulate their price upwards. Investors paid for their stock by sending money to United States-based escrow agents. The escrow agents paid 60 to 75 percent of the funds to the boiler rooms, kept 2.5 percent, and paid the rest to the companies that the man created. The companies then funneled about $2.135 million back to the man in the form of consulting fees, and paid the manager about $279,000. Source:

14. May 16, Atlanta Journal-Constitution – (National) New Yorkers who defrauded Atlanta investors convicted. Two New Yorkers who defrauded investors in metro Atlanta and others out of more than $12 million face prison after a federal jury convicted them May 16 of running a Ponzi investment scheme. Federal prosecutors said more than 150 people fell victim to promises by the couple that “sophisticated investors” would see returns of up to 20 percent a month through the couple’s “wealth enhancement club.” Instead, between 2003 and 2007, less than a third of the money collected by the couple’s New York-based ASM Financial Funding Corp. was invested, and all of that money was lost, prosecutors said. The remaining two-thirds of the funds was used for personal gain and to pay off intermediaries who helped recruit investors. Clients were told their profits would either be reinvested or returned to them in the form of monthly payments. The payments to early investors, however, were actually a portion of the money the clients had invested, and not actual earnings. The couple also issued monthly statements and tax forms showing bogus interest income, prosecutors said. For a while, the couple was able to persuade investors not to go to the authorities by promising future payouts, and warned that alerting the authorities could jeopardize those payments. Source:

15. May 15, Longmont Times-Call – (Colorado) Longmont police arrest woman, 64, on suspicion of robbing Wells Fargo Bank. Police have arrested a woman on suspicion of robbing the Wells Fargo Bank inside a Longmont, Colorado Safeway June 9, 2011, and attempting to rob it again on two other occasions. The suspect was arrested outside the bank May 14 after clerks called police to report she was back, according to a Longmont Police commander. According to police, the woman approached tellers at the bank June 9, 2011 with a note demanding cash and threatening to infect the clerk with AIDS. The clerk complied with the demand in the note and the robber got away with an undisclosed amount of money. The police commander said clerks recognized the woman from the first robbery when she returned to the bank March 27. She returned May 14 and clerks recognized her again and immediately called police. She left the bank without delivering her note and officers found her in a vehicle parked in a nearby parking lot. The police commander said a note demanding cash was recovered from her car. Source:

For another story, see item 37 below in the Information Technology Sector

Information Technology

35. May 17, H Security – (International) RealPlayer update fixes security vulnerabilities. RealNetworks is warning users about multiple security vulnerabilities in its RealPlayer media player application for Windows; the company says none of the now fixed holes are known to have been used to compromise systems. The released update, Version of RealPlayer, closes three security holes. One hole is related to ASM RuleBook parsing that could be exploited by an attacker to remotely execute arbitrary code, another is a memory corruption problem related to MP4 file handling in the QuickTime plugin used by RealPlayer, and the third is a buffer overrun in the Media parser. RealPlayer Versions 11.0 to 11.1 and 14.0.0 to, as well as RealPlayer SP 1.0 to 1.1.5 are affected; RealPlayer for Mac is not vulnerable. RealPlayer — available for Windows 7, Vista SP1, and XP SP3 — corrects these problems. Source:

36. May 17, Softpedia – (International) Worm uses Facebook PMs and instant messaging apps to spread. Researchers from Trend Micro recently reported that a piece of malware, identified as Worm_Steckct.evl, is distributed via a link sent in private messages on Facebook and instant messaging programs. The shortened links contained in the posts point to an archive called “May09- Picture18.JPG_ www(dot)” which hides a file named “May09-Picture18.JPG _www(dot)” The .com extension reveals the malware is an executable file. Once it is run, the worm terminates all the processes and services created by security software, ensuring antivirus applications cannot disrupt its processes. Steckct.evl then downloads another worm, detected as, which monitors the victim’s browsing sessions. It does not only log the posts and private messages the user creates or deletes on Facebook, MySpace, Twitter, WordPress, or Meebo, but it can also spread by utilizing the user’s active session on these sites. Source:

37. May 17, H Security – (International) DoS vulnerability in Bitcoin. The developers of Bitcoin, the anonymous digital currency system, fixed a flaw in the system that allowed malicious users to perform denial-of-service attacks on a victim’s node, causing it to stop receiving updates from the Bitcoin network. To send and receive payments, Bitcoin nodes encode the transfer information into blocks of data that get aggregated into a globally distributed block chain. Each transaction is cryptographically signed and linked to the previous one. For this system to work, the user’s client needs to communicate with the global network frequently to keep up to date with the transactions that have happened since the last time it was online. If a node is isolated from the network for a significant amount of time, it cannot initiate or receive transfers of bitcoins. The developers did not yet explain how the vulnerability in the Bitcoin software can be exploited — they want to give users sufficient time to patch their clients before releasing information that could be used by hackers to reverse engineer a working exploit. They have, however, released version 0.6.2 of the client that fixes the problem. Backports of the fix for versions 0.5.5 and 0.4.6 are also available. The developers stated the vulnerability cannot be used to compromise users’ wallets. Source:

38. May 17, H Security – (International) Security vulnerability in sudo’s netmask function patched. The developers of sudo released updates to the privilege elevating utility to patch a bug that allows an attacker to execute commands they should not be able to access on a remote system. Shortly after, they issued a regular update that includes these fixes along with several new features. Sudo versions 1.8.4p5 and 1.7.9p1 fix a security issue in the program that can allow a legitimate user who is included in the sudoers file to run commands on other hosts. When sudo is asked to run a command by a user, it consults sudoers to see if the user has permission. Sudoers rules include the ability to define permission by the host’s IP address by matching with absolute addresses or matching with a netmask specification. It is the matching with netmasks, which are typically used to allocate users permissions by subnet, where the problem lies. The flaw is present in the IP network matching code of sudo versions 1.6.9p3 through 1.8.4p4. The exploit was reported internally through Red Hat’s Bugzilla bug tracking system and was already fixed in Ubuntu by backporting the fix to older versions of the package. Red Hat is also expected to fix its versions of sudo soon. The project advised all users to update to a patched version of the program as soon as possible. Where they cannot upgrade, users are advised to switch to defining host permissions using IP addresses instead of netmasks. Source:

39. May 17, H Security – (International) Apache details OpenOffice 3.4 security fixes. Following the release of Apache OpenOffice 3.4.0 the week of May 7, the Apache Software Foundation (ASF) detailed the security fixes included in the new version of the open source productivity suite. According to the ASF, the first stable release of OpenOffice under its governance addresses three security vulnerabilities, all of which are rated as “important.” These include an integer overflow error when handling embedded images and a memory overwrite bug when loading WordPerfect files, both of which could allow for the execution of arbitrary code. The third hole is related to unchecked memory allocations in malformed PowerPoint files that the developers say could be used to cause a denial-of-service. Attacks on all these flaws would require the user to open a specially crafted file. 3.3 and the beta version of 3.4 are affected; earlier versions may also be vulnerable. The Security Team advises all users to upgrade to the final 3.4 release. Source:

40. May 16, H Security – (International) Avira update puts behaviour recognition on hold. Security firm Avira disabled the ProActiv behavior recognition module in some of its products with an update. A few days after the release of “Service Pack 0” May 14, the company’s security software unexpectedly blocked the access to important systems components. As a consequence, some computers did not start at all, while others could only be booted in secure mode. May 15, Avira announced it solved the behavior recognition problem with an update. Avira said the patch can be installed by updating manually to solve the problem. What the company did not say is the update simply disables the ProActiv behavior recognition module — which is not even listed in the extended configuration dialog once the update is installed. Source:

For another story, see item 12 above in the Banking and Finance Sector

Communications Sector

See item 36 above in the Information Technology Sector